Bogdan Rudas wrote:
Since TNC ignored by Microsoft, could are there other solutions to enforce compliant and quarantine violators, agent-based solutions, MDM and so in during network authentication?
There are scores of commercial offerings. All have their plusses and minuses. There are no clear dominant winners in this market. I'm hopeful Aruba ClearPass and its sub-tools will eventually consolidate into something a bit more usable than its current state (they are integrating their separate onboarding and posture modules more fluently into ClearPass but it seems to be taking some time to re-emerge as a well documented and supported feature set.) Android and Microsoft have been less than helpful in bringing their clients and supplicants and provisioning capabilities up to snuff in a way that helps these products do what they want to do. Apple has been a bit better at this, but could still use to do a few things. All the OS and infrastructure companies want to get you married to their own byzantine suite of products that expect you yank up whatever else you are doing and follow some one-size-fits-all network design which may or may not actually fit your business needs, but will most certainly cost you money at some point down the road. On the other hand, the third-party products and those infrastructure products that truly aim to support competitor's equipment have done nearly nothing to integrate onboarding with NAC agent installation, which is especially annoying in a college setting where just by asking students to install a resident agent is already pushing it, and you run the risk of having your students seek an alternative ISP or just camp out on your guest network. Nevermind if the process involves several minutes installing 4 separate packages for all your certs/supplicant settings/more-capable-than-builtin-clients. Sure you can script that yourself, but then you have to maintain that script through OS upgrades... which... well avoiding that is kind of the reason why you pay money to third party NAC vendors in the first place because you could just as well script a NAC agent. I've actually been researching this market for work and I have not seen a single compelling case by any of these vendors that their NAC product won't be a giant time vampire. Currently we are subsisting on the Enterasys/Extreme product which holds together very well as long as we try not to use too many features, but we haven't even gotten to roll out the agents after years of owning the product because some part of it has always managed to break every time we have tried, and the bugfixes take months if not years to arrive. Many in the industry have thrown up their hands at this situation and now walk around spouting nonsense about NAC being old fashioned and the new fancy is doing dynamic policy enforcement based on network scans and reactive firewall events... which of course you should do, but it is no substitute for NAC, and doesn't help you with the onboarding part either. Good luck. If you happen upon a product that looks promising, feel free to let me know. I'll either be grateful, or tell you all the things I know of that are wrong with it.